16007: Roles are owned by system user

author Peter Amstutz <peter.amstutz@curii.com>

Mon, 1 Jun 2020 22:03:56 +0000 (18:03 -0400)

committer Peter Amstutz <peter.amstutz@curii.com>

Wed, 17 Jun 2020 17:57:25 +0000 (13:57 -0400)
author Peter Amstutz <peter.amstutz@curii.com>
Mon, 1 Jun 2020 22:03:56 +0000 (18:03 -0400)
committer Peter Amstutz <peter.amstutz@curii.com>
Wed, 17 Jun 2020 17:57:25 +0000 (13:57 -0400)
diff --git a/services/api/app/models/group.rb b/services/api/app/models/group.rb

index e16433c8157660d7a486879555ef61406557d772..21e57e143ee0dcd5302444593b2308881d368c2c 100644 (file)
--- a/services/api/app/models/group.rb
+++ b/services/api/app/models/group.rb
@@ -25,6 +25,8 @@ class Group < ArvadosModel
    before_update :before_ownership_change
    after_update :after_ownership_change
  
+  after_create :add_role_manage_link
+
    after_update :update_trash
    before_destroy :clear_permissions_and_trash
  
@@ -114,4 +116,33 @@ delete from trashed_groups where group_uuid=$1
      end
      true
    end
+
+  def ensure_owner_uuid_is_permitted
+    if group_class == "role"
+      @role_creator = nil
+      if new_record?
+        @role_creator = owner_uuid
+        self.owner_uuid = system_user_uuid
+        return true
+      end
+      if self.owner_uuid != system_user_uuid
+        raise "Owner uuid for role must be system user"
+      end
+      raise PermissionDeniedError unless current_user.can?(manage: uuid)
+      true
+    else
+      super
+    end
+  end
+
+  def add_role_manage_link
+    if group_class == "role" && @role_creator
+      act_as_system_user do
+       Link.create!(tail_uuid: @role_creator,
+                    head_uuid: self.uuid,
+                    link_class: "permission",
+                    name: "can_manage")
+      end
+    end
+  end
  end
diff --git a/services/api/test/fixtures/groups.yml b/services/api/test/fixtures/groups.yml

index a64970e60f7456a004139f1f11fca57554910cd3..e328e9a1b51378e362b13994166b8975fd33c16a 100644 (file)
--- a/services/api/test/fixtures/groups.yml
+++ b/services/api/test/fixtures/groups.yml
@@ -18,14 +18,14 @@ private:
  
  private_role:
    uuid: zzzzz-j7d0g-pew6elm53kancon
-  owner_uuid: zzzzz-tpzed-xurymjxw79nv3jz
+  owner_uuid: zzzzz-tpzed-000000000000000
    name: Private Role
    description: Private Role
    group_class: role
  
  private_and_can_read_foofile:
    uuid: zzzzz-j7d0g-22xp1wpjul508rk
-  owner_uuid: zzzzz-tpzed-xurymjxw79nv3jz
+  owner_uuid: zzzzz-tpzed-000000000000000
    name: Private and Can Read Foofile
    description: Another Private Group
    group_class: role
@@ -95,7 +95,7 @@ asubproject:
  
  future_project_viewing_group:
    uuid: zzzzz-j7d0g-futrprojviewgrp
-  owner_uuid: zzzzz-tpzed-xurymjxw79nv3jz
+  owner_uuid: zzzzz-tpzed-000000000000000
    created_at: 2014-04-21 15:37:48 -0400
    modified_by_client_uuid: zzzzz-ozdt8-brczlopd8u8d0jr
    modified_by_user_uuid: zzzzz-tpzed-xurymjxw79nv3jz
author	Peter Amstutz <peter.amstutz@curii.com>
	Mon, 1 Jun 2020 22:03:56 +0000 (18:03 -0400)
committer	Peter Amstutz <peter.amstutz@curii.com>
	Wed, 17 Jun 2020 17:57:25 +0000 (13:57 -0400)
services/api/app/models/group.rb		patch \| blob \| history
services/api/test/fixtures/groups.yml		patch \| blob \| history